jpeppard
just joined
Topic Author
Posts: 7
Joined: Fri May 05, 2023 2:16 am

Slow WAN with Winbox open - RESOLVED

Tue Jun 11, 2024 7:22 pm

Hi all, recently VLANned my home network and installed a CCR2004 at the same time. I am seeing some issues with TCP transfer rate.

Concerned flow:
Win 11 desktop Intel SFP+ <--- 10g DAC --> CRS310 <---10g DAC ----> CCR2004 <---10G RJ45 ---> Google Fiber modem

When I connect the desktop directly to the Google Fiber modem, DL happens at nearly wire speed, consistent ~215MBps:
directtoWAN.png
When desktop is connected as above (on MGMT VLAN 99) via CRS310 and CCR2004, DL speed starts okay (~100MBps) and slowly drops to half or less (~45MBps).
ccr20041.png
ccr20042.png
I see from Wireshark capture that the data payload is about 1512 in size. When connected via CCR2004, I don't see any cores reaching 100% during download test.

Am I missing something in my config that would explain poor WAN speed like this?


CCR2004 conf:
# 2024-06-11 10:18:58 by RouterOS 7.15.1
# software id =
#
# model = CCR2004-16G-2S+
# serial number =
/interface bridge
add admin-mac=48:A9:8A:B3:EC:D8 auto-mac=no frame-types=\
    admit-only-vlan-tagged name=RouterBridge priority=0x1000 vlan-filtering=\
    yes
/interface ethernet
set [ find default-name=ether1 ] comment="FRACTAL IPMI"
set [ find default-name=ether2 ] comment="FRACTAL PROX MGMT"
set [ find default-name=ether3 ] comment="CRS310 MGMT" disabled=yes
set [ find default-name=ether4 ] comment="Jun Switch MGMT"
set [ find default-name=ether5 ] comment="Desktop Spare"
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=WAN speed=\
    10G-baseT
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no comment=\
    "CRS310 Switch"
/interface wireguard
add listen-port=13231 mtu=1280 name=homeGuard
/interface vlan
add interface=RouterBridge name=VLAN-10-CLIENT vlan-id=10
add interface=RouterBridge name=VLAN-20-WIFI vlan-id=20
add interface=RouterBridge name=VLAN-30-SERVER vlan-id=30
add interface=RouterBridge name=VLAN-40-DMZ vlan-id=40
add interface=RouterBridge name=VLAN-99-MGMT vlan-id=99
/interface list
add name=WAN
add name=LAN
add name=MGMT
add name=DMZ
add name=SERVER
add include=DMZ,LAN,MGMT,SERVER name=Internal
add name=LANNoDMZ
/ip pool
add name=MGMT-POOL ranges=10.218.99.15-10.218.99.254
add name=CLIENT-POOL ranges=10.218.10.2-10.218.10.254
add name=WIFI-POOL ranges=10.218.20.2-10.218.20.254
add name=SERVER-POOL ranges=10.218.30.20-10.218.30.254
add name=DMZ-POOL ranges=10.218.40.2-10.218.40.254
/ip dhcp-server
add address-pool=CLIENT-POOL interface=VLAN-10-CLIENT lease-time=10m name=\
    CLIENT-DHCP
add address-pool=WIFI-POOL interface=VLAN-20-WIFI lease-time=10m name=\
    WIFI-DHCP
add address-pool=SERVER-POOL interface=VLAN-30-SERVER lease-time=10m name=\
    SERVER-DHCP
add address-pool=DMZ-POOL interface=VLAN-40-DMZ lease-time=10m name=DMZ-DHCP
add address-pool=MGMT-POOL interface=VLAN-99-MGMT lease-time=10m name=\
    MGMT-DHCP
/port
set 0 name=serial0
set 1 name=serial1
/queue interface
set sfp-sfpplus1 queue=multi-queue-ethernet-default
set sfp-sfpplus2 queue=multi-queue-ethernet-default
/routing pimsm instance
add disabled=yes name=pimsm-instance1 vrf=main
/interface bridge port
add bridge=RouterBridge frame-types=admit-only-vlan-tagged interface=\
    sfp-sfpplus2
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=99
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=99
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=99
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=99
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=99
add bridge=RouterBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=99
add bridge=RouterBridge frame-types=admit-only-vlan-tagged interface=ether16
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=RouterBridge tagged=RouterBridge,sfp-sfpplus2,ether16 vlan-ids=10
add bridge=RouterBridge tagged=RouterBridge,sfp-sfpplus2,ether16 untagged=\
    ether1,ether2,ether3,ether4,ether5 vlan-ids=99
add bridge=RouterBridge tagged=RouterBridge,sfp-sfpplus2,ether16 vlan-ids=20
add bridge=RouterBridge tagged=RouterBridge,sfp-sfpplus2 vlan-ids=30
add bridge=RouterBridge tagged=RouterBridge,sfp-sfpplus2 vlan-ids=40
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=VLAN-99-MGMT list=MGMT
add disabled=yes interface=ether2 list=MGMT
add disabled=yes interface=ether3 list=MGMT
add disabled=yes interface=ether4 list=MGMT
add disabled=yes interface=ether5 list=MGMT
add interface=VLAN-10-CLIENT list=LAN
add interface=VLAN-20-WIFI list=LAN
add interface=VLAN-30-SERVER list=SERVER
add interface=VLAN-40-DMZ list=DMZ
add interface=homeGuard list=Internal
add interface=VLAN-10-CLIENT list=LANNoDMZ
add interface=VLAN-20-WIFI list=LANNoDMZ
add interface=VLAN-30-SERVER list=LANNoDMZ
add interface=VLAN-99-MGMT list=LANNoDMZ
add interface=RouterBridge list=LAN
/interface wireguard peers
add allowed-address=10.219.0.4/32 comment=IPAD interface=homeGuard name=peer3 \

add allowed-address=10.219.0.5/32 comment=MACBOOK interface=homeGuard name=\

add allowed-address=10.219.0.3/32 interface=homeGuard name=peer2 public-key=\

/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether15 \
    network=192.168.88.0
add address=10.218.10.1/24 interface=VLAN-10-CLIENT network=10.218.10.0
add address=10.218.20.1/24 interface=VLAN-20-WIFI network=10.218.20.0
add address=10.218.30.1/24 interface=VLAN-30-SERVER network=10.218.30.0
add address=10.218.40.1/24 interface=VLAN-40-DMZ network=10.218.40.0
add address=10.218.99.1/24 interface=VLAN-99-MGMT network=10.218.99.0
add address=10.219.0.1/24 interface=homeGuard network=10.219.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server lease

/ip dhcp-server network
add address=10.218.10.0/24 gateway=10.218.10.1
add address=10.218.20.0/24 gateway=10.218.20.1
add address=10.218.30.0/24 gateway=10.218.30.1
add address=10.218.40.0/24 gateway=10.218.40.1
add address=10.218.99.0/24 gateway=10.218.99.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="Accept established, related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid input" connection-state=\
    invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow WireGuard from WAN" dst-port=\
    13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard Input" in-interface=\
    homeGuard src-address=10.219.0.0/24
add action=accept chain=input comment="Allow input from MGMT" \
    in-interface-list=MGMT
add action=accept chain=input comment="Allow MacBook to MGMT" in-interface=\
    VLAN-20-WIFI src-address=10.218.20.5
add action=accept chain=input comment="Allow iPhone to MGMT" in-interface=\
    VLAN-20-WIFI src-address=10.218.20.6
add action=accept chain=input comment="Allow DNS from all internal" dst-port=\
    53 in-interface-list=Internal protocol=udp
add action=accept chain=input comment="Allow DNS from all internal" dst-port=\
    53 in-interface-list=Internal protocol=tcp
add action=drop chain=input comment="Drop all other Input"
add action=fasttrack-connection chain=forward comment="FAST TRACK FORWARD" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Forward Established and Tracked" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid forward" \
    connection-state=invalid
add action=accept chain=forward comment="Allow internal clients to internet" \
    connection-state=new in-interface-list=Internal out-interface-list=WAN
add action=accept chain=forward comment="Allow MGMT to ALL Internal" \
    in-interface-list=MGMT out-interface-list=Internal
add action=accept chain=forward comment="PLEX Forward to DMZ" dst-port=32400 \
    in-interface=sfp-sfpplus1 protocol=tcp
add action=accept chain=forward comment="Allow DMZ Docker to access NFS" \
    dst-address=10.218.30.5 in-interface=VLAN-40-DMZ src-address=10.218.40.3
add action=accept chain=forward comment="Allow Internal Clients to Plex DMZ" \
    dst-address=10.218.40.3 in-interface-list=LANNoDMZ
add action=accept chain=forward comment="WireGuard to LAN" in-interface=\
    homeGuard out-interface-list=Internal
add action=accept chain=forward comment="WireGuard to LAN" in-interface=\
    homeGuard out-interface-list=WAN
add action=drop chain=forward comment="Drop invalid forward" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    sfp-sfpplus1
add action=drop chain=forward comment="Drop All Other Forward"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=32400 in-interface=sfp-sfpplus1 \
    protocol=tcp to-addresses=10.218.40.3 to-ports=32400
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Denver
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no


CRS310 conf:
# 2024-06-11 10:20:43 by RouterOS 7.15
# software id =
#
# model = CRS310-1G-5S-4S+
# serial number =
/interface bridge
add admin-mac=18:FD:74:6A:F2:E7 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment=DESKTOP
set [ find default-name=sfp-sfpplus3 ] comment="SERVER FRACTAL"
set [ find default-name=sfp-sfpplus4 ] comment="CCR2004 RTR UPLINK"
/interface vlan
add interface=bridge name=vlan-99-mgmt vlan-id=99
/port
set 0 name=serial0
/queue interface
set sfp-sfpplus1 queue=multi-queue-ethernet-default
set sfp-sfpplus3 queue=multi-queue-ethernet-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=99
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=sfp1 pvid=10
add bridge=bridge comment=defconf interface=sfp2
add bridge=bridge comment=defconf interface=sfp3
add bridge=bridge comment=defconf interface=sfp4
add bridge=bridge comment=defconf interface=sfp5
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus4 untagged=sfp1,sfp2,sfp3,sfp4 vlan-ids=\
    10
add bridge=bridge tagged=sfp-sfpplus4,bridge untagged=sfp-sfpplus1,ether1 \
    vlan-ids=99
add bridge=bridge tagged=sfp-sfpplus3,sfp-sfpplus4 vlan-ids=30
add bridge=bridge tagged=sfp-sfpplus3,sfp-sfpplus4 vlan-ids=40
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
add address=10.218.99.2/24 interface=vlan-99-mgmt network=10.218.99.0
/ip dns
set servers=8.8.8.8
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.218.99.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=America/Denver
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
Last edited by jpeppard on Wed Jun 12, 2024 2:33 am, edited 2 times in total.
 
jpeppard

Re: Slow TCP Performance on CCR2004

Tue Jun 11, 2024 7:44 pm

UPDATE:
I can reliably recreate the slow WAN speed ONLY when I have a Winbox connection open with the CCR2004. Once this session is closed, the speed returns to full line level.

The slow down with Winbox open affects both the admin desktop mentioned in the opening post and a separate download host in another subnet.

Surely I have misconfigured something, as I don't think this should be happening.

Edit: Seems related to what windows I have open on the Winbox session. Perhaps I opened something with intensive monitoring which slows down the connection? After closing all windows, WAN speed is restored. I don't think it was PCAP - even with PCAP running I still get full line speed with all other Winbox windows closed (albeit at 60-70% router CPU).
 
jpeppard

Re: Slow WAN with Winbox open

Wed Jun 12, 2024 1:59 am

UPDATE:
It is the System health window! I had opened it to monitor system temp during bandwidth testing.

With all other windows in Winbox closed, speeds are normal; with the System health window open, my WAN speed tanks.

Maybe an already known issue, but I will file a bug report.

EDIT: This is known, documented specifically for CCR2004. Thanks for coming!

https://help.mikrotik.com/docs/display/ROS/Health